The EU General Data Protection Regulation (GDPR) took effect in all EEA countries on 25 May 2018 and its impact is being felt globally. Japanese businesses are now acting to ensure they are sufficiently equipped to deal with the more onerous rules. A quarter have made progress on meeting some of the easier requirements, with half of businesses planning to do so.

The GDPR is designed to protect the online data of European citizens, and the regulation therefore applies not only to EU businesses but to any business worldwide that offers goods and services within the EU.

Research conducted by consultancy firm PWC Global found that just 19% of Japanese businesses in Europe have completed steps to respond to the GDPR. Japan and the EU have agreed in substance on an adequacy framework to ease the administrative burden on Japanese companies seeking to comply with the new law. For now, however, Japanese companies must play catch-up and act quickly to put in place safeguards to comply with the globally-affecting GDPR. Japanese companies that have not yet started preparing for GDPR are not alone, and we are rapidly experiencing a rush of new instructions in light of the recently enacted law.

Hiroshi Miyashita, associate professor of law at Chuo University, says corporate leaders don't seem aware of the risks (1) associated with GDPR violations, and companies should also look at the contracts they have with outsourcing companies that handle their personal data, as these could leave them liable for a third party's failure to comply.

The ICO is imposing harsher penalties for non-compliance with the GDPR with a limit of €20 million or 4% of a business’s annual global turnover, whichever of the two is higher. That’s in addition to compensation and damages that claimants may be entitled to under their enhanced rights. We’ve seen significant sums imposed on WM Morrison Supermarkets (2) and Carphone Warehouse (3) recently, and now with more stringent regulations and a much increased maximum penalty, there is a greater need to comply.

There is now a requirement to report any breaches to the ICO within 72 hours, whereas previously there was no timeframe or obligation to do so. As it stands, however, only 7% of Japanese companies are currently in a position to comply with this rule.

A survey, conducted for Reuters by Nikkei Research (4), found that 26% of Japanese firms have updated data privacy policies to take into account requirements such as the need for clear language and the seeking of affirmative consent, often effectively an opt-in email. Japanese businesses must ask for permission to move users’ information outside the EU. Businesses must update their privacy notices and determine which sections require modifications to comply with the GDPR checklist, including the legal basis and purposes of data processing and the personal data retention periods and how the personal data is stored.

Japanese businesses should join other global businesses to have provisions in place to ensure they are equipped to deal with any upcoming cases or requests. The standards of corporate responsibility have intensified and customers will demand accountability and compliance. The rules are tough, but they are not going anywhere; Japanese businesses that operate in Europe must adhere to them, or they risk paying the price.

As Japan's data-protection agency scrambles to negotiate a deal with the European Commission on personal-data transfers, Japanese companies are watching and waiting. Adopting the ‘wait and see’ approach may leave the 2,500 Japanese companies operating in the EU vulnerable to the new set of rules. We hope it will not take a Japanese company getting punished with a hefty fine for GDPR violations for all Japanese companies to become fully aware of the risks.
Don’t let it be you. It is time to face the music and ensure you are GDPR-compliant.

**Links to further details:**
For further information, please contact Koichiro Nakada – Head of Japan Business Group and Yoko Nakada - Senior Associate, Deputy Head of Japan Business Group.
The information and any commentary on the law contained in this bulletin is provided free of charge for information purposes only. No responsibility for its accuracy and correctness, or for any consequences of relying on it, is assumed by Lewis Silkin LLP or Centre People Appointments. The information and commentary does not, and is not intended to, amount to legal advice and is not intended to be relied upon. You are strongly advised to obtain specific, personal advice from a lawyer about your case or matter and not rely on the information or comments in this bulletin.

This information is supplied by Lewis Silkin LLP www.lewissilkin.com